Wednesday, March 12, 2014

Windows Server 2012 - Active Directory - Recycle Bin - limitations

What would happen if someone accidentally removed a significant number of members from an Active Directory security group? Could the Active Directory Recycle Bin be used to restore those members?

This question was recently asked in the Microsoft Technet Directory Services forum.

The answer is no.

We must distinguish between two cases:

Restoring the properties (attributes) of a deleted object, with the object itself, upon recovery.

Reverting changes to properties of an undeleted object to a previous state.

The Active Directory Recycle Bin does not have the ability to track simple changes to objects.

If the object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in the future.

In other words, there is no rollback capacity for changes to object properties, that is, to the values of those properties.

I would like to illustrate this distinction with the examples below.

***

First, I will delete a group object - "Group1" - in Active Directory Users and Computers. Note that Group1 has three members: Valerie, Vik and Yvette.

So I delete the group...

Suddenly, I realize that this was not the group I was supposed to delete. Or Management informs me that there was a mistake: in fact, they really wanted me to delete Group2.

Now what?

We have at least two options, provided that...

We schedule regular backups.

We have enabled the Active Directory Recycle Bin (yes, it must be enabled first, and some conditions must be met. Essentially, we must be at what is called the "Windows 2008 R2 Forest Functional Level").

In this blog post, I'm interested in the Recycle Bin option, so I open another Active Directory interface, the "Active Directory Administrative Center" (ADAC), and go to the "Deleted Items" container:

I open the container and...

There is Group1! Just waiting to be restored! I right-click on the item, select "Restore" and we should be "all set".

Note: the Recycle Bin indicates the last known parent. If we select the simple "Restore" option, the object will be restored to that container. If the parent container has itself been deleted since, we can choose to restore to a different location instead. Either way, we can recover the object.

But that's not all. Group objects will be recovered with their members:

Here, even if group membership were not re-established automatically, it would be easy enough to re-add the three members manually. But that would be infinitely more difficult if a group contained hundreds of members and perhaps numerous nested groups as well.

So we have restored a deleted Active Directory object, a group object in this case, and restored certain properties of the object (its membership) as well. We can consider membership to be a "multivalued" property of the group since more than one value (member) can be indicated.

***

Now I will delete not the group itself but remove one of its members: Valerie Owen.

Will I be able to see this member in the Recycle Bin and restore it?

No. There is nothing to restore. And yes, I waited long enough for replication and so forth to complete. On that subject, the two domain controllers in my virtual network are connected to the same virtual switch. So, no, latency has nothing to do with this. There is simply nothing to restore.

There is nothing to restore because we did not delete the user object representing Valerie Owen. Instead, we removed one of the values of the Group1 membership property that designated this user as a member.
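The two experiments above, reproduced in PowerShell as an added example (this is not code from the original post). It assumes the ActiveDirectory module on a Windows Server 2012 management host, a lab domain controller named DC1.corp.example.com, Group1 with its three members, and vowen as the sAMAccountName of Valerie Owen; all of those names are assumptions. The last step is the check a practitioner would want: the Recycle Bin has nothing to restore, but replication metadata for the member attribute still records which link values were removed and when.

```powershell
# Added example, not from the original post. Assumed: ActiveDirectory module,
# lab DC "DC1.corp.example.com", group "Group1", user sAMAccountName "vowen".
Import-Module ActiveDirectory
$dc = 'DC1.corp.example.com'   # assumed lab domain controller

# --- Case 1: the group object itself is deleted -----------------------------
$group      = Get-ADGroup -Identity 'Group1' -Properties member -Server $dc
$objectGuid = $group.ObjectGUID
Remove-ADGroup -Identity $group -Confirm:$false -Server $dc

# With the Recycle Bin enabled, the deleted object keeps its attributes,
# including the multivalued "member" attribute and its lastKnownParent.
Get-ADObject -Identity $objectGuid -IncludeDeletedObjects -Server $dc `
    -Properties member, lastKnownParent, isDeleted |
    Format-List Name, isDeleted, lastKnownParent, member

# Restore-ADObject puts the group back under lastKnownParent; the membership
# comes back with it, so no manual re-adding is needed.
Restore-ADObject -Identity $objectGuid -Server $dc
(Get-ADGroup -Identity 'Group1' -Properties member -Server $dc).member

# --- Case 2: only one value of "member" is removed --------------------------
$group = Get-ADGroup -Identity 'Group1' -Server $dc
Remove-ADGroupMember -Identity $group -Members 'vowen' -Confirm:$false -Server $dc

# No object was deleted, so nothing was moved to the Recycle Bin: no user
# tombstone results from this operation (the user object still exists live).
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Server $dc |
    Where-Object { $_.ObjectClass -eq 'user' }
Get-ADUser -Identity 'vowen' -Server $dc | Select-Object Name, Enabled

# What does survive is replication metadata. For a linked attribute such as
# "member", -ShowAllLinkedValues lists present and removed link values with
# the time of the originating change, which identifies what was removed and
# when (identification only: the Recycle Bin offers no rollback of the value).
Get-ADReplicationAttributeMetadata -Object $group -Server $dc -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    Format-Table AttributeValue, Version, LastOriginatingChangeTime -AutoSize
```

Run this only in a lab domain; the same metadata cmdlet without -ShowAllLinkedValues shows the version and change time of non-linked attributes such as description, but not their previous values.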

***

At this point, I am quite confident that my assertions above (the first lines of this post) are correct.

But let's perform the same experiment with some user object properties.

Here, among others, we can see the "Description" and the "Office" properties of the Alison Lindsay user object.

I will modify the values of these attributes (synonymous with properties here) as follows:

Does the Recycle Bin track these changes? Can I perform a rollback to the previous values?

No:

***

In conclusion, one should be aware of what the Recycle Bin can and cannot do. If we perform massive changes to group membership, thinking we can always "roll back" if something stops working, we will have a very big surprise!

Moreover, there is still a market for third-party products for Active Directory that do track such changes and can roll back the attributes of an object to a previous state. I cannot recommend one product over another, but if you are interested in such a product, you can search for "Active Directory" and "NetIQ" or "Quest".